Issue:
How does the Protect the hosts file security feature work with a WithSecure security product on a Windows host?
What happens to an already modified hosts file when a WithSecure security product is installed?
Resolution:
The Protect the hosts file security feature monitors the hosts file on a Windows system for changes. If the feature detects a non-default hosts file, it raises an alert about a redirected hosts file and replaces the file with a hosts file that has the following content:
#
# Copyright (c) 2007 F-Secure Corporation
#
# This is a HOSTS file created during malware removal.
#
# Your original HOSTS file was infected and it was replaced
# by this file containing only clean default entries.
# The original HOSTS file may be restored from the product's
# quarantine feature.
#
127.0.0.1 localhost
::1 localhost
If a hosts file has been modified before the installation of Client Security, the modified hosts file will be detected during the first system scan.
If the hosts file is modified during a time when the Protect the hosts file feature has been disabled, the modified hosts file will be detected when the feature is turned back on.
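An added example, not WithSecure code: a PowerShell function that lists the active entries in a hosts file other than the two localhost lines of the replacement file shown above, so that custom entries can be recorded before a scan replaces the file. It assumes that "non-default" means any other active mapping (the product's own detection logic is not described here); the function name and the sample entries are constructed.

```powershell
# Added example: list active hosts-file entries that differ from the
# replacement file's defaults (127.0.0.1 localhost, ::1 localhost).
# Assumption: "non-default" means any other active mapping; the product's
# own detection logic is not documented on this page.
function Get-NonDefaultHostsEntry {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    $defaults = @('127.0.0.1 localhost', '::1 localhost')
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        # Drop trailing comments and surrounding whitespace
        $active = ($line -replace '#.*$', '').Trim()
        if (-not $active) { continue }
        # First token is the address, the remaining tokens are host names
        $tokens = $active -split '\s+'
        $address = $tokens[0]
        foreach ($name in ($tokens | Select-Object -Skip 1)) {
            # -notcontains compares case-insensitively, like host names
            $pair = '{0} {1}' -f $address, $name
            if ($defaults -notcontains $pair) {
                [pscustomobject]@{
                    Line    = $lineNo
                    Address = $address
                    Name    = $name
                }
            }
        }
    }
}

# Constructed sample input (not from a real system)
$sample = Join-Path ([IO.Path]::GetTempPath()) 'hosts.sample'
Set-Content -LiteralPath $sample -Value @(
    '# sample hosts file',
    '127.0.0.1 localhost',
    '::1 localhost',
    '10.0.0.5 intranet.example.test   # internal app',
    '0.0.0.0 updates.example.test'
)
Get-NonDefaultHostsEntry -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

Called without `-Path`, the function reads the live hosts file of the machine it runs on.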
Follow these steps to turn off the Protect the hosts file feature.
For Policy Manager:
- Log in to Policy Manager Console
- Select the policy domain or host from the Domain Tree
- Go to the Settings tab and select Advanced view
- Navigate to: F-Secure Anti-Spyware > Settings > Anti-Spyware Scanner > Real-Time Scanning > Real-Time Scanning Options > Protect the "hosts" File
- Disable the setting
- Distribute the policy (Ctrl + D)
For Elements Endpoint Protection:
- Log on to the WithSecure Elements Security Center portal (https://elements.withsecure.com)
- Expand the Security Configurations tab and go to Profiles
- Click on your profile to edit the settings
- Go to Real-time scanning > Protect Hosts File
- Disable the setting
- Click Save and publish
Article no: 000019105